1. Field
The present invention relates generally to detecting malicious code associated with a do-not-cache attack.
2. Background
Many computational environments include instructions to fetch one or more instructions directly from RAM. Such instructions are not stored in the second level (L2) cache, but are instead copied directly to the smaller and faster level one (L1) instruction cache. Normally, bypassing the L2 cache is a benevolent operation. However, the ability to run code without accessing the L2 cache may allow an adversary to replace innocuous code that uses the L2 cache with malicious or corrupt code that does not use the L2 cache, without the replacement being discovered. For example, the malicious code may hide its presence from scanning/detection software if the entire malicious code fits in the L1 cache.
There is therefore a need for an ability to detect malicious code hiding in a first level instruction cache.